Securing Windows 2000 Server

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 4: Applying the Security Risk Management Discipline

Published: November 17, 2004 | Updated : May 31, 2006

The Security Risk Management Discipline (SRMD) is a detailed process that is useful in determining which threats and vulnerabilities have the most potential impact on a particular organization. Because every company has different business requirements, it is impossible to create one list of vulnerabilities that will have the same impact on every environment.

This process is discussed in detail in Chapter 3, "Understanding the Security Risk Management Discipline." This chapter applies the process to a generic customer. To provide adequate background for this applied example, some high-level details are given about the target environment. At the conclusion of this chapter, the specific risks addressed are fully defined, described, and analyzed.

Scenario Overview

The solution revolves around a marketing research company named Contoso, Ltd. Contoso has two offices: a headquarters located in Atlanta, Georgia, and a second office located in Boston, Massachusetts. Contoso is a fairly large enterprise, with several thousand employees who use computing resources. Contoso reported revenue of $829 million last year.

The company's infrastructure has been completely upgraded to Microsoft® Windows® 2000 Server, but its client deployment remains in a mixed state. The company currently has a combination of Microsoft Windows 98 SR2, Microsoft Windows NT® Workstation version 4.0, Windows 2000, and Windows XP.

Administration Model

Contoso has segmented the administrative groups of the company into divisions that focus on certain technologies. There is one group of administrators that oversees all domain-wide administration, including the administration of domain controllers. There is also a second group that manages the company's infrastructure services, such as WINS, DHCP, and DNS, as well as the file and print servers in the organization.

Additionally, there is a Web services group that handles the administration of all Internet Information Services (IIS) servers in the environment. IIS is Microsoft's Web server software; it serves content over HTTP and the File Transfer Protocol (FTP). The administrator groups are detailed in the following table.

Table 4.1 Contoso Administrator Groups

Group name          Responsibilities
Domain Engineering  Domain administration, domain controller administration, DNS
Operations          WINS, DHCP, file services, print services
Web Services        IIS administration

Infrastructure Layout

Network Design

Contoso has two data centers connected with two T1 lines. Each office has a portion of the engineering and operations staff providing network infrastructure services. All Web servers are located at the main data center in Atlanta.

Each location has 100-megabit per second (Mbps) connections to all servers and 10-Mbps connections to all client workstations. The servers are segmented on their own subnet, and client computers are on a separate subnet. All computers have access to the Internet through a connection in Atlanta.

Active Directory Design

Contoso has deployed a single Windows 2000 Server forest with an empty root and a single child domain. An empty root domain is a separate domain that houses only the computer accounts for the domain controllers in that domain and the default user accounts.

An empty root domain may be created because of a desire to have multiple child domains that are divided equally among geographic boundaries and managed by a central group. An empty root domain does not provide any additional security but may prevent unintentional errors from affecting the entire forest by separating the Enterprise Administrators and the regional domain administrators. Contoso created an empty root because of expectations that it may branch into additional countries/regions in the future.

A diagram of the high level domain is shown in the following figure.

Figure 4.1 The Active Directory design for Contoso, Ltd.

Contoso has also divided its network into two Active Directory® directory service sites—Atlanta and Boston. The flexible single master operations (FSMO) roles are divided between these sites.

Each site has domain controllers that are running Active Directory integrated with DNS, DHCP, and file and print servers. Atlanta hosts the WINS servers for the entire organization. Most of the organization's server computers running IIS reside in Atlanta; however, some smaller department Web servers are located in Boston.

Contoso is currently upgrading its internal network. It is migrating to a switch-based network topology, but there are still a large number of computers connected by hubs in some of its buildings.

Figure 4.2 The service layout for Contoso, Ltd.

This figure shows the server-based distribution of services within Contoso but does not accurately represent the total number of servers within the organization.

Business Requirements

As mentioned, Contoso is a marketing research company. Marketing research is an industry that focuses on planning and controlling the sum of activities involved in directing a flow of goods and services from producers to consumers, including product packaging, pricing, promotion, and physical distribution to meet the needs of a particular market.

To find out what the market's needs are, market researchers must learn as much as they can about their customers. To help facilitate this learning, Contoso provides market researchers with detailed information about their target markets.

The majority of Contoso's marketing information is housed in IIS servers located within the organization. Contoso's marketing research personnel use the internal marketing research Web servers when gathering detailed information for their customers. Some of this information is also located on file shares, but the information on these file shares is only a subset of the information available on the intranet servers.

Contoso wants to ensure that its internal data is secure and stays secure. Marketing research is a very competitive field, and the company's research data is its primary competitive advantage over other companies in the same field. Because of this factor, maintaining a high level of security for the company's marketing research data is the top priority of the organization.

A separate project has been started to address the security of Contoso's external connectivity and its perimeter network. These concerns are out of scope for this project.

Identifying Security Risks

The first step in any security project is to define the security risks that need to be addressed. Security risks are a combination of assets, the threats that can affect those assets, and the vulnerabilities of those assets that can be exploited in some manner. A good analogy of these types of relationships is a house.

The house is an asset. It has value and should be protected. A robber is a threat agent to the house because he has the potential to damage the house or steal items. The windows in the house are a required feature; however, any open window becomes a vulnerability because the robber can exploit this vulnerability to enter the house. This simple example shows how a threat agent may exploit a vulnerability to gain access to an asset.

The first step to fully secure an organization's computer environment is to identify the assets in the environment, the threats that could affect the environment, and the vulnerabilities of the identified assets. Following this process in an organization will help establish a set of security risks that can be adequately analyzed and prioritized.

Identifying Assets

Assets can include a wide variety of items. This chapter will discuss only a subset of computing assets. Identifying these assets can be very simple in some organizations and very difficult in others, depending on the procurement processes and asset tracking mechanisms in use.

More important than knowing the number of servers deployed in your organization is knowing the functions that the servers provide. For example, Contoso is a marketing research company that uses Web servers to provide its employees access to market data. The company may determine that these computers are more important to it than a print server. However, Contoso may also determine that different Web servers in its environment have different levels of importance to the overall organization.

Additionally, assets are not just physical hardware. In a computing environment, potential assets that should be evaluated include services such as name services provided by a DNS server. Assets could also include user accounts such as service accounts or administrator accounts.

Prioritizing Assets

Although identifying assets is a qualitative process, the overall benefits to the business goals of the organization should be considered when determining the potential value of each server or group of servers. By doing so, an asset priority (AP) can be defined for each server or server group. Primary factors to consider as part of this process include:

The financial value of the asset

The cost to build the asset

The cost to protect the asset

The value of the asset to the competition

The cost to recover the asset

It can be very difficult to rank all of an organization's assets on the same scale, and it may help to break them down into similar technologies and then rate them. By approaching it this way, it will be much easier to compare the relative value of different assets using a similar scale in your organization.

Establishing Asset Values

When identifying assets, it is also extremely important to determine an asset value (AV) for each resource. The AV is the monetary value of the asset. When determining an AV, it is important to take a number of items into account, including the physical value and the business value of the data located on those assets.

Physical value can be calculated quite easily. This amount is generated based on the following costs:

Hardware costs

Software costs

Support costs

Replacement costs

The business value of the data contained on those assets may be very difficult to express in numbers. The value of the data may be based on the data's contribution to the overall financial goals of the company, or it could be based on the value of the data to an external person or organization. Typically, this value is very debatable, but it should indicate the relative impact of losing the data compared with losing data on similar assets. Often, the value of the data far surpasses the value of the hardware itself.

The indirect value of the asset may be the most difficult to quantify. This number should be the value that the company stands to lose through negative publicity, lawsuits, or loss of business if this asset is lost or compromised. Additionally, this value may include the cost to the business to replace or repair the damage caused by the loss of the asset.

Finally, the value of the data to an external organization should be evaluated. As with the indirect business value, this value can be difficult to calculate. This number should reflect the monetary value that an external agent would pay for the actual data contained on the asset.

The AV is a dollar figure that can be used when computing loss expectancies for the asset. The AV should be calculated by adding the physical value of the asset, the direct business value that it provides, the indirect business value that it provides, and the value of the asset to an external organization.

As mentioned earlier, this number is very difficult to determine. The physical value of a server is only a fraction of the computer’s total value. The real value that an asset brings to the organization is provided through its functionality or the data that it contains.

Contoso's Asset List

As part of the Security Risk Analysis process, an organization's assets need to be identified and rated to provide input to the overall security risk statement and a means to calculate their relative value to the organization. The Security Risk Analysis process provides a method of identifying risks and assessing the possible damage that could be caused to justify security safeguards.

Contoso has identified several groups of assets that it would like to address in the first phase of the project—one of which is the Windows 2000 infrastructure. This grouping includes the domain controllers, file and print servers, IIS servers, and infrastructure servers. Contoso has defined infrastructure servers to specifically include DNS, DHCP, and WINS services.

These servers were ranked based on the criteria listed earlier. As part of this process, the Domain Engineering, Operations, Web Services, and extended security teams determined an overall asset priority (AP) rating for each group of servers. The teams used the following scale of 1 to 10, on which higher ratings designate assets that are more crucial to the company:

1. The server provides basic functionality but does not have a financial impact on the business.

3. The server houses important information, but the data could be quickly and easily recovered.

5. The server contains important data that would take some time to recover.

8. The server contains information that is important to the business goals of the company. The loss of this equipment would have a major effect on the productivity of all users.

10. The server has a major impact on company business. The loss of this equipment would result in a competitive disadvantage.

The asset priority ratings applied to some of Contoso's assets are shown in the following table. This list is not complete, but it is a sample of the overall rating performed in Contoso's environment.

Table 4.2 Contoso Asset Priorities

Server classification               Asset priority (AP)
Root domain controllers             8
Enterprise administrator accounts   10
Child domain controllers            8
Northamerica domain admin accounts  10
Northamerica domain user accounts   5
Root DNS services                   4
Child DNS services                  5
WINS servers                        3
DHCP servers                        1
File and print servers              8
Research IIS servers                10
Department IIS servers              6
Human Resources IIS servers         7

Additionally, asset valuation was performed for each of the servers in the following table.

A more detailed breakdown of these values can be viewed in the Excel workbook "JA0401.xls" that is included with this solution.

Table 4.3 Contoso Asset Valuation

Server classification                       Physical value   Additional value   Asset value (AV)
Single root domain controller               $18,000          $10,000            $28,000
Enterprise administrator accounts           $0               $829 million       $829 million
Single child domain controller              $18,000          $50,000            $68,000
Northamerica domain administrator accounts  $0               $829 million       $829 million
Northamerica domain user accounts           $0               $1,000             $1,000
Root DNS services                           $18,000          $30,000            $48,000
Child DNS services                          $18,000          $30,000            $48,000
WINS server                                 $18,000          $0                 $18,000
DHCP server                                 $18,000          $0                 $18,000
File and print server                       $40,000          $480,000           $520,000
Research IIS server                         $46,000          $550,000           $596,000
Department IIS server                       $32,000          $50,000            $82,000
Human Resources IIS server                  $32,000          $300,000           $332,000

Understanding Asset Priorities and Asset Values

Company assets can be rated in many different ways. The criteria used to make these decisions for Contoso's assets are detailed in this section. The following information describes the decisions that were made in this particular scenario. Your scenario may be different, and different values could be calculated based on business needs and requirements. These values are extremely subjective and are provided to give an overview of the process that was performed in Contoso's unique environment.

Root Domain Controllers

Root domain controllers are important pieces of the infrastructure; however, they contain little data that could not be easily recreated. Contoso has several domain controllers in its root domain, providing redundancy for the services that it provides. They provide little direct financial benefit for the company but hold an enormous amount of power. For these reasons, these computers were assigned an asset priority of 8.

The root domain controllers hold little data that has financial value outside of the company, but a compromise of these servers could limit users' access to information. Because of that, their business data was valued at approximately $10,000. Along with the hardware costs, the total AV for the root domain controllers is estimated at $28,000.

These numbers account for a single domain controller and not the priority of the overall domain services. The domain and enterprise administrator accounts were evaluated as their own resources to calculate their associated risks.

Contoso could have additionally evaluated the priority and value of the overall domain services to account for any risks that may eliminate all domain functionality. Such an evaluation was deemed out of scope for the current project.

Enterprise Administrator Accounts

The accounts in the Enterprise Admins group are the most important accounts in the organization. An enterprise administrator can obtain control of any computer in the forest. These accounts should be used only as necessary and should have the tightest security in the organization.

Because the power of the Enterprise Admins group is so great, the priority of these assets is rated at 10. The loss of control of these accounts could result in disaster for the organization.

The value of the accounts that are in the Enterprise Admins group is enormous. The value is equivalent to that of all data stored in or secured by the Windows 2000 forest. Therefore, the value of the Enterprise Admins accounts was valued to be equivalent to the revenue of the organization over the past year—$829 million. The Enterprise Admins group should be protected as if the entire business depended on its security.

Child Domain Controllers

Child domain controllers contain critical information about users in the organization, including their passwords. Loss or compromise of this information could have a very large impact on the company. Contoso has provided multiple domain controllers in all locations, reducing the impact of a single failure. Because of this design, it would be easy to recover the loss of a single domain controller. The combination of these factors helped Contoso rate the child domain controllers with an asset priority of 8.

The child domain controller data was valued at $50,000. This value is an estimate that is based on the amount that an external organization would pay for the user phone numbers and e-mail addresses. In combination with the hardware value, the AV of the child domain controllers was estimated at $68,000.

As with the root domain controllers, these numbers do not take into account the compromise of the domain account or the loss of all domain services. Instead, the estimate focuses purely on the data and functions provided by a single domain controller.

Northamerica Domain User Accounts

The domain administrators are not the only accounts of interest in an organization. Although a user account may not provide as much immediate power as that of a domain administrator, it is another foothold that an attacker could use to overtake the organization. The stability and integrity of user accounts are primary concerns of the Active Directory® directory service. Therefore, the priority of the user accounts is rated a 5.

The physical value of a single user account is minimal. There is some administrative work that would be required to restore the account, and there would be some amount of lost functionality. But of all the assets, the single user account is one of the most difficult to put a price on. The cost to recreate the account and make up for lost productivity helps estimate the AV of a user account at approximately $1,000.

Root DNS Services

Root DNS servers provide a large amount of functionality but can be very easily recreated. The data in these servers would provide little information to outside parties, and the overall impact of such a data loss would be minimal. However, if the DNS servers were poisoned, users could be redirected to other locations and lose access to necessary resources. For these reasons, the root DNS servers were assigned an asset priority of 4.

A pure DNS server contains no business data. However, there could be a loss of functionality and productivity if these services were tampered with in any way. Based on an estimate of the time that it would take to restore the functionality and correct any issues, along with an estimate of the productivity losses, the additional value of the root DNS services was estimated to be approximately $30,000. Combined with the hardware value, the AV of the DNS servers is estimated at $48,000.

Note: The Contoso DNS servers are running as part of the domain controllers, but the decision was made to treat these services separately.

Child DNS Services

Child DNS servers contain information about all servers, client workstations, and some network services in the child domain that could be valuable to interested parties. The servers do not directly affect the company's profits, even though their value in maintaining the smooth functioning of Contoso's network is very high. Because the data housed in these servers can be easily recreated, they were assigned an asset priority of 5.

As with the root, a pure DNS server contains no business data. However, there could be a loss of functionality and productivity if these services were tampered with in any way. Based on an estimate of the time that it would take to restore the functionality and correct any issues, along with an estimate of the productivity losses, the additional value of the DNS services in the Northamerica domain was estimated to be approximately $30,000. Combined with the hardware value, the AV of the DNS servers is estimated at $48,000.

Note: Again, the Contoso DNS servers are running as part of the domain controllers, but the decision was made to treat these services separately.

WINS Servers

WINS servers contain information similar to that in DNS servers. However, the use of WINS servers is limited primarily to the older client workstations in Contoso's environment that are still running Windows 98 and Windows NT Workstation 4.0. Again, because the server data can be easily recreated, these servers were assigned an asset priority of 3.

A WINS server contains no business data. The information that WINS servers contain is only the NetBIOS name information for hosts in the environment. The loss of all WINS services in the environment could cause a loss in productivity, but because of redundancy, this risk is mitigated. The total AV for a WINS server is estimated at $18,000.

Note: This figure does not include the value of the WINS services in the entire organization. It is just the value of a single WINS server.

DHCP Servers

DHCP servers contain little information that would provide value to another organization. These servers are easily recreated and do not provide any direct profit for the company. For these reasons, they were assigned an asset priority of 1.

A DHCP server contains only information about computers and their IP addresses, as well as some DHCP scope information. These servers contain no information that could provide business value, although they do provide business functionality. Contoso has implemented multiple DHCP servers in its environment and has applied the 80/20 rule when creating its DHCP scopes to allow for the loss of a DHCP server. Because of this design, the impact of the loss of a single server is greatly reduced. Therefore, the AV of a single DHCP server is estimated at $18,000.

Note: This figure does not include the value of the DHCP services in the entire organization. It is just the value of a single DHCP server.

File and Print Servers

File and print servers contain a large amount of the intellectual property of the company. The loss of these computers could be worth a large amount of money to both the company and its competitors. It would be extremely costly to recreate the data in these servers. Because of these factors, Contoso's file and print servers were assigned an asset priority of 8.

The data that is kept on each of the file and print servers has been averaged at $200,000 per server. This number is based on the value that the data currently brings to the organization, as well as the cost to generate the data.

Research IIS Servers

Research IIS servers at Contoso publish the majority of marketing research data for the company's internal users. These servers contain the data that gives the company its primary competitive advantage. For these reasons, the research IIS servers are critical and were assigned an asset priority of 10.

Each of the research IIS servers contains data that has been valued at $450,000. Again, this number is based on the value that the data currently brings to the organization, as well as the cost to generate the data. Additionally, the value of this data was estimated to have a worth of approximately $80,000 to an external organization. Combining this estimation with the cost of the hardware provides an AV of $596,000 for each of the IIS servers dedicated to marketing research data.

Department IIS Servers

The department IIS servers also contain valuable data on current and future projects for Contoso but do not contain a large amount of information with pure business value. These servers are primarily used as a means of communication. For these reasons, the department IIS servers were assigned an asset priority of 6.

The data contained by department IIS servers was averaged at $50,000 for each server. As mentioned earlier, this figure is based on the value that the data currently brings to the organization, as well as the cost to generate the data. Combined with the hardware costs, the AV for the department IIS servers is $82,000.

Human Resources IIS Servers

The human resources IIS servers are the front-end servers to a separate back-end HR system. These servers can be easily recreated and do not house a large amount of critical business data. However, these servers are costly to develop, so they were assigned an asset priority of 7.

The value of the business data on the IIS servers has been determined to be $100,000. This information includes a large amount of personal data and internal company information, and $100,000 is the estimated value of that data to an external organization. Additionally, a value of $200,000 was estimated to address any potential lawsuits or negative publicity resulting from the release of this information. Combined with the hardware value of the IIS server, the AV for these assets is estimated at $332,000.

Identifying Threats

After identifying and valuing the assets that must be accounted for in Contoso's security project, the next step is to determine which threats need to be addressed to protect the assets. Threats come in many forms, and each poses different risks to company assets. There are an unlimited number of threats for the assets within an organization. These threats are discussed in detail in Chapter 2, "Defining the Security Landscape." In short, threats can be divided into three main categories: natural, mechanical, and human.

Threats Identified in Contoso's Environment

As part of its Securing Windows 2000 project, Contoso decided that it would consider only potential malicious attacks. The company's operational procedures and training policies are in place to help reduce the threat of accidental misuse of its computer systems. Contoso's physical network design and computer system requirements also help reduce mechanical threats. Additionally, Contoso has developed some well-defined contingency plans in case a natural disaster should strike.

By reducing the number of threats that will be addressed in the security project, you can make it much easier to gain a full understanding of the attack surface and the project boundaries needed to establish your security policies and procedures. However, setting these boundaries may also mean that additional projects become necessary to fully address all threats to your organization's environment.

Security Risk Analysis—Determining Threat Probability

Determining the probabilities of specific threats is very important to the overall process of security risk analysis. When creating security risk statements for your organization, these numbers will help determine the criticality of each risk.

Contoso defined threat probability (TP) as the probability of a potential threat occurring. It developed a scale for all high-level threats and then ranked them from 0 to 1.0. Based on this scale, a threat with a ranking of 0.1 has a very low probability of occurrence, but one ranked 1.0 will definitely occur, as detailed in the following table.

Table 4.4 Contoso Threat Probabilities

Threat                    Probability
Fire                      0.05
Water                     0.025
Wind                      0.025
Earthquake                0.001
Power failure             0.0002
Hardware failure          0.1
Network failure           0.3
Uninformed users          0.2
Malicious code (viruses)  0.6
Industrial spies          0.1
Internal attackers        0.6
External attackers        0.4

The probability rated for internal attackers and external attackers is based on a combination of the results of the 2002 "Computer Crime and Security Survey" and Contoso's previous experiences over the last year.

These threat probabilities are only a subset of the threats that could be identified, but they show how a list may be developed based on past experience, environmental conditions, geography, and an organization's industry.

Security Assessments

As with most information system projects, the best way to plan a security project is to survey the existing landscape. You should review policies and procedures and investigate the use of technology at the physical, perimeter, network, host, application, and data levels. Security assessments have many goals, and there are several categories of assessment that you can perform to achieve them. These categories include:

Operational assessments

Penetration testing

Vulnerability assessments

Intrusion detection auditing

There are a number of Microsoft partners that provide these services. You can find a listing of Microsoft Certified Partners at http://mcspreferral.microsoft.com/default.asp.

The three security assessment categories are described in greater detail in the subsections that follow.

Operational Assessments

Security starts with a well-defined policy. The first step to securing an organization should be a thorough review of the organization’s documented policies. An operational assessment usually results in a detailed investigation of a company's policies and procedures. Some operational assessments may extend into the high-level use of technology.

The goal of an operational assessment is to help your organization identify its current state of security and operations management readiness. Additionally, it should help identify both general and specific recommendations that can improve security readiness and reduce the total cost of ownership (TCO) for your organization.

Penetration Testing

Penetration testing can help identify ways that an unauthorized individual can get into an organization. Such testing can include:

War dialing to identify unsecured access by phone. A war dialer is a tool that a hacker uses to gain unauthorized access to a modem telephone number.

War pinging to identify any externally available hosts. These computers can be leveraged for additional testing.

War driving, a relatively new concept, which is the process of attempting to locate any unsecured wireless access points in an organization.

Social engineering to locate individuals who may be tricked into revealing their passwords or other security information, inadvertently disclosing classified information.

Building penetration to determine whether physical access to the facility can be easily obtained.

These tests are useful to increase the attention that an organization places on security policies. One of the largest considerations in performing a penetration test is identifying a reputable external organization to perform the tests. Any penetration testing should have written approval prior to beginning. In most companies, such unauthorized actions may be grounds for termination.

Vulnerability Assessments

A vulnerability assessment takes the penetration testing a step further. Instead of identifying some of the potential access routes, a vulnerability assessment defines all possible entry points into the organization. Inside the organization, the security project team continues the vulnerability assessment by identifying other internal asset weaknesses. This testing is usually performed by internal resources that have administrative privileges on all computers.

A vulnerability is a weakness in an information system or its components (for example, security procedures, hardware designs, and internal controls) that could be exploited to produce an information-related misfortune. Usually a vulnerability exists because of the current configuration of an asset. As the configuration of the assets changes, you should repeat vulnerability assessments to validate the updated configuration and ensure that it remains secure.

Vulnerabilities can arise from weaknesses at any point in the defense-in-depth model. This model provides a strategy to protect resources from external and internal threats. Defense in depth (sometimes referred to as security in depth or multilayered security) is taken from a military term used to describe the layering of security countermeasures to form a cohesive security environment without a single point of failure. Weaknesses in this model can involve people, processes, or technology, and this assessment strategy identifies them.

Vulnerability scanning can be performed with tools or by manual processes. An automated scan can be used to identify each computer or component of the network. After it has identified potential targets, the scan will run a series of tests to determine potential vulnerabilities in the asset.

Manual scans may leverage the information that an assessment tool provides to obtain more detailed information about the target environment. By going a step further, the manual process may identify areas of weakness that were not apparent in the automated process.

Intrusion Detection Audit

An intrusion detection audit usually combines the results of several of the other tests and validates that an organization’s intrusion detection tools are working as expected. The agency performing the intrusion detection audit will use information from the operational assessment to understand the policies and processes that are currently in place within the organization. The penetration testing results will give the person or group performing the test an overview of the different areas in which the organization is exposed. The vulnerability assessment will let the group understand what problems currently exist in the organization.

A third party hired to perform an intrusion detection audit can use all of this knowledge and attempt an intrusion from outside the organization. One major difference from the vulnerability assessment is that this testing is usually performed by an external agency with no administrative rights. If this process can be completed successfully, the target company must reevaluate its intrusion detection system implementation. If a successful penetration occurs, the group performing the testing will repeat the process inside the organization to continue to determine what additional information it can gain without alerting the intrusion detection system or administrators.

The intrusion detection audit is the most comprehensive test and should be completed only by reputable organizations. Such testing requires permission from executives at the highest levels, and the full impact of such testing should be fully evaluated prior to its initiation.

Vulnerability Assessment Tools

Some companies may want to purchase a vulnerability assessment tool rather than rely on a third party to perform scans. Both approaches have advantages and disadvantages. There is a great deal of value in having a third party review a company's infrastructure. However, the cost of this process may be a limiting factor.

If an organization wants to use a vulnerability assessment tool on its own, the organization should consider the following issues to ensure that the assessment tool includes as many of the following capabilities as possible.

Vulnerability Database Listings

The vulnerability assessment tool should be able to use multiple sources of vulnerability listings. For example, these listings may include Microsoft Security Bulletins, the Common Vulnerabilities and Exposures (CVE) database, the CERT Coordination Center, or BugTraq.

Update Capability

The tool should update its vulnerability definitions and tests automatically. The list of vulnerabilities that a tool scans for and the tests that it runs are only as good as the latest update it has received. Scanning with a tool that requires manual updates increases the chance that the administrator is not checking for all known issues.

Customizing Capability

The tool should have customizing capability. Every environment is different. There are vulnerabilities that some organizations are willing to live with because of how their environments are configured. Such organizations may not want to be alerted every time a known issue is identified. Additionally, these organizations may have other specific items to investigate that are not common in other environments.

Network Security

The vulnerability scanning tool should check for network security. As part of these tests, it should scan for open ports that may identify services that have not been properly secured.

Host Security

The tool should check for security on the host operating system. This check includes scanning for unnecessary services that may be running and analyzing groups and accounts on the computer and unnecessary utilities on the server. It should ensure that proper access control lists (ACLs) are applied on the event logs, that registry permissions have been appropriately tightened, and that only the necessary user rights assignments have been assigned.

Application Security

Application security should be included in the testing as well, including baseline operating system settings, domain controller and domain setting scans, and Web server scanning. Specifically, if IIS is used in the organization, the tool should monitor the IIS metabase settings, which contain configuration information about the IIS server. The tool should also verify that the inetpub directory has been moved to another volume and that the IIS Lockdown Tool and URLScan have been run.

Data Security

The vulnerability scanner should check data security. Items to consider include security on core operating system files, service pack levels, hotfixes installed, ACLs, and file share permissions. Hotfixes are cumulative packages composed of one or more files used to address a defect in a product. They address specific customer situations and may not be distributed outside the customer organization without written legal consent from Microsoft.

Security hotfixes are somewhat different, as they should be immediately applied to any server that meets the specified criteria. Security hotfixes do not require legal consent and can be distributed as necessary.

Prioritization

Finally, the tool should help define the high-priority issues that are identified. For example, the Microsoft Security Response Center identifies patches based on the vulnerabilities that they address and then assigns each a rating. The center is a Microsoft business unit responsible for the investigation and remediation of all security vulnerabilities involving Microsoft products.

These ratings include critical, important, moderate, and low vulnerabilities. Although these ratings may be general, they can help an organization prioritize which patches to apply immediately, and how to address them with different groups of equipment.

Security Risk Analysis Process Inputs

As part of the Security Risk Analysis process, each vulnerability will need to be evaluated using several criteria. These inputs help determine the overall risk that the organization is exposed to by each threat. This determination can be done by creating a concise risk statement for each attacker, exploit, vulnerability, and asset combination. Although this determination may seem to require a lot of work, it will help fully define the issues that need to be addressed as part of the overall security project for your organization.

Risk Statements

When making security risk statements, each possibility should be addressed separately, and the specific consequence of each risk should be described. If there are multiple consequences, the risk statement may be too broad and should be further defined.

Every risk statement should have a condition that leads to a consequence. As seen in Chapter 2, "Defining the Security Landscape," the security risk statement that you develop should be based on the following form:

IF threat agent uses a tool, technique, or method to exploit a vulnerability, THEN a loss of confidentiality, integrity, or availability to an asset may result in an impact.

Determining Criticality Factors

The criticality factor (CF) is a measure of the damage that a particular exploit can cause to an asset by utilizing the vulnerability in question. A particular vulnerability may have several different exploits that could be used to attack the asset. Each exploit may have different effects on the target computer, and some research may need to be done to evaluate the potential exploits for each vulnerability.

The criticality factor should be measured on a scale of 1 to 10, where 1 indicates very little impact from the exploit and 10 indicates that a huge amount of irrevocable damage could occur.

Determining Effort to Exploit Identified Vulnerabilities

The effort (E) is the amount of work, knowledge, or experience that an attacker would need to use a particular exploit. The level of effort to use the specific exploit should be measured by the simplicity of the attack. There is a wide variety of malicious attackers. They may range from “script kiddies,” who have little knowledge about how or why attacks work (but know what tools can help them gain information), to a true “cracker,” who has a deep technical knowledge of security. A cracker is a person who overcomes the security measures of a computer system to gain unauthorized access.

The effort of a specific exploit should be measured on the same scale as the criticality factor: 1 to 10, where 1 indicates very little skill required to use a particular exploit and 10 indicates that the skills of a seasoned security programmer would be required.

Determining Vulnerability Factors

The vulnerability factor (VF) is the measure of susceptibility to a particular form of attack.

The vulnerability factor of an asset should also be measured on the 1 to 10 scale, where 1 indicates that the particular asset is not readily susceptible to the vulnerability and 10 indicates that the asset is extremely open to the particular issue.

Top Vulnerabilities Identified in Contoso's Environment

Contoso used a vulnerability scanning tool on its network to identify some of the major issues with its configuration. The tool returned a large list of items, prioritized as either High, Medium, or Low risk vulnerabilities. Contoso has decided to immediately try to address the High and Medium risk vulnerabilities during this phase of the security project.

Several of the vulnerabilities can be grouped into larger categories. These vulnerability groupings are discussed along with the specific ones identified. Additionally, each vulnerability is rated for effort, as well as criticality and vulnerability factor.

Buffer Overflows

The vulnerability scanner used in Contoso's environment identified that a number of the servers were susceptible to IIS-related buffer overflows. A buffer overflow is a type of exploit that attackers employ to gain access to a computer. Specifically, the tool identified the unpatched ida/idq buffer overflow that is exploited by the Code Red worm. A worm is a stand-alone, self-replicating program that usually consumes memory, thus causing computers to crash.

Risk Statement

IF attackers use Code Red to exploit ida/idq vulnerabilities, THEN a loss of integrity and availability of the research IIS servers may result in increased traffic on the network.

Because risk statements would need to be created for each vulnerable asset, similar risk statements should be built for the departmental and the human resources IIS servers.

Criticality Factor

The Code Red worm was first discovered on July 17, 2001. The worm propagated itself throughout the Internet at an amazing speed, infecting almost 360,000 servers in 14 hours. Along the way, it defaced Web servers and caused a large amount of extra traffic, flooding many organizations' networks.

Because of Code Red's potential impact on its environment, the Contoso security team gave that worm a criticality factor of 9 for all of the organization's IIS servers.

Effort

Code Red was extremely difficult to create. The ida/idq overflow was a particularly complex vulnerability and was initially very difficult to exploit. However, because of the nature of Code Red, it was extremely easy to spread. The Code Red worm propagates itself, so there is little or no skill required to use this exploit. Therefore, the effort required to use this exploit is assigned a rating of 1.

Vulnerability Factor

Contoso continues to see infections of Code Red in both of its server domain locations. It is common for the company's servers to become infected during the build process, even before the computers can be fully patched. Therefore, addressing the known IIS buffer overflows is one of Contoso’s biggest concerns.

Because Code Red is continuing to infect servers inside of the organization, the current server build process is extremely vulnerable to the worm. But security team personnel are patching for this particular issue. The vulnerability factor for Contoso's Web servers is assigned a rating of 8.

NetBIOS Enumeration

The scanner identified that all of the scanned computers were vulnerable to NetBIOS enumeration. NetBIOS utilizes a default share for interprocess communication (IPC). By default, anyone can connect to this share; no user name or password is required. Although simply connecting to the share will not give someone rights to view files or control processes, it is possible to view a large amount of information.

By creating a null connection (a connection with no user name or password) to the IPC$ share on a computer, potential attackers can use commonly found utilities to view, for example:

Account names

Groups

Shares

Account comment fields

Account last logon times

Account last password changes

This list includes only a few of the easily viewed items, but they represent the types of information that can be obtained without a user name or password.

Risk Statement

IF an attacker uses a NetBIOS enumeration tool to exploit null sessions, THEN a loss of confidentiality of the Northamerica domain controller may result in an unauthorized user gaining account information.

A similar statement should be created for the root domain controller as well.

Criticality Factor

NetBIOS enumeration using null sessions can result in a large security breach. By failing to prevent an unauthorized user from viewing all user account names, account comments, groups, and shares, the organization faces a large risk; it could present an attacker with a number of account names, which is half of a user name/password combination.

Because of the potential impact of compromised user names, Contoso rated the CF of NetBIOS enumeration a 6 for all of the company's domain controllers. Contoso does not create specific user accounts on member servers, but a separate risk statement could be created because member servers do contain shares that can be enumerated. Contoso did not see this factor as a major threat, but the organization would have rated the CF of member servers a 3.

Effort

The effort required to enumerate the NetBIOS information on a specified host is quite low. There are a number of tools freely available on the Internet that automate this functionality after a null session is established on a target computer.

Contoso rated the effort for exploiting this vulnerability a 2.

Vulnerability Factor

The Contoso environment currently does not implement any countermeasures to prevent NetBIOS enumeration on any of its member servers or domain controllers. Therefore, the VF for all servers is rated a 10.

SNMP Enumeration

The scanning tool found that the Simple Network Management Protocol (SNMP) was enabled on the computers and was using the default "public" string.

Contoso uses SNMP services on Windows 2000 servers for reporting events. The company has always used the public string and so was interested to discover that in addition to generic hardware monitoring, SNMP can also be used to return information on other aspects of the computer, including:

Account names

Share names

Share paths and comments

Running services

Open ports

Risk Statement

IF an attacker uses an SNMP enumeration tool to exploit public community strings, THEN a loss of confidentiality of the Northamerica domain controller may result in an unauthorized user gaining access to account information.

A similar statement should be created for the root domain controller as well.

Criticality Factor

SNMP enumeration can provide a large amount of information and can potentially be dangerous, especially if the specified community string is given the ability to write to the target server. Because of its configuration, Contoso assigned a CF rating of 6 for all servers.

If Contoso also had any writable SNMP community strings, a separate risk statement would have had to be generated.

Effort

SNMP enumeration can be easily exploited with several freeware or shareware tools available on the Internet. Contoso rated the effort to use these tools a 2.

Vulnerability Factor

Contoso has SNMP enabled on most of its servers for monitoring, and the company has a default community string name of public, which means the organization is quite vulnerable. Contoso assigned SNMP enumeration a VF of 10.

DNS Enumeration

The vulnerability assessment identified that the DNS servers did not restrict zone transfers. Without securing this feature of DNS, an attacker can easily obtain data from an organization’s DNS server.

Contoso utilizes Active Directory integrated with DNS in Windows 2000. DNS holds a large amount of information about a domain, including server names and Internet Protocol (IP) addresses, services running on the network, and the servers hosting specific services, such as global catalogs and domain controllers.

Risk Statement

IF an attacker uses nslookup to exploit unlocked zone transfers, THEN a loss of confidentiality of the Northamerica DNS may result in computer and service identification.

A similar statement should be created for the root DNS servers as well.

Criticality Factor

DNS enumeration can provide a large amount of information on the hosts and services in the environment, but it does not contain information on specific users or company-critical data. Therefore, Contoso assigned a CF of 2 for domain controllers.

Effort

DNS enumeration can be performed with tools included on most any operating system. Contoso rated the effort to use these tools a 1.

Vulnerability Factor

Because Contoso has not secured DNS zone transfers in its environment, it has rated the VF of DNS enumeration a 7.

Weak Passwords

The assessment tool chosen by Contoso has additional functionality that allows it to perform basic dictionary attacks against user accounts to identify weak passwords. Additionally, it examines the password hashes in the Security Accounts Manager (SAM) database to determine whether there were any blank or duplicate passwords. If a large number of duplicate passwords is identified, an attacker may determine that these passwords are default passwords used when a new account is set up in the organization.

The information in the SAM is encrypted, but even without trying to crack the passwords it is easy to identify blank or duplicate passwords based on the hash. Because Contoso does not have an account lockout policy defined, an unlimited number of attempts can be made to guess passwords. The scanning tool found a number of passwords consisting purely of common dictionary words, which it was able to break in a matter of moments.
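An added example (not from the chapter or from any scanner) of the two checks the paragraph describes, in Python: finding blank and duplicate password hashes without cracking anything, and a policy check for new passwords, which is the countermeasure Contoso lacks. The record layout, account names, placeholder hashes, word list and policy thresholds are all constructed for the example; only the two empty-password hash constants are real, well-known values.

```python
from collections import defaultdict

# Well-known hashes of an empty password. The LM value is also what is stored
# when LM hash storage is disabled, so only the NT hash is a reliable blank-password test.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in a simple "account:lm_hash:nt_hash" shape for this example
# (not a real SAM export). The non-empty hashes are placeholders, not real hashes.
SAMPLE_DUMP = """\
jdoe:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
msmith:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
svc_backup:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
kchen:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210
build01:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
"""


def parse_dump(text):
    """Return (account, lm_hash, nt_hash) tuples from the constructed format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, lm, nt = line.split(":")
        records.append((account, lm.lower(), nt.lower()))
    return records


def audit_hashes(records):
    """Flag blank passwords and groups of accounts that share one NT hash.

    Shared hashes are the 'default password at account creation' pattern the
    chapter warns about; nothing here attempts to recover a password."""
    blank = []
    by_nt = defaultdict(list)
    for account, _lm, nt in records:
        if nt == NT_EMPTY:
            blank.append(account)
        else:
            by_nt[nt].append(account)
    duplicates = {nt: accounts for nt, accounts in by_nt.items() if len(accounts) > 1}
    return {"blank": blank, "duplicates": duplicates}


# Assumed policy thresholds for this example, not Contoso's or Windows' exact rule.
MIN_LENGTH = 8
MIN_CLASSES = 3
# Tiny constructed word list standing in for the dictionary a scanner would use.
COMMON_WORDS = {"password", "welcome", "summer", "contoso", "letmein"}


def check_policy(password, username):
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    # Strip digits and symbols so "Summer2004" is still recognised as a dictionary word.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    result = audit_hashes(parse_dump(SAMPLE_DUMP))
    print("blank passwords:", result["blank"])
    for nt, accounts in result["duplicates"].items():
        print(f"shared hash {nt[:8]}...: {accounts}")
    for candidate in ["password", "Summer2004", "jDoe-2004!", "Tr4ce-Pl4n-9x"]:
        print(candidate, "->", check_policy(candidate, "jdoe") or "OK")
```

The audit groups by the NT hash rather than the LM hash because every record in a domain with LM storage disabled carries the same LM value, which would otherwise look like one giant duplicate group.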

Risk Statement

IF an attacker uses a brute-force password attack to exploit a lack of password policies, THEN a loss of integrity and confidentiality of the Enterprise Admin accounts may result in an attacker gaining unauthorized access to the organization.

Similar risk statements should be generated for the Domain Admins group and the general user accounts.

Criticality Factor

Weak passwords are the bane of any system administrator. They can allow an attacker to quickly obtain a user account and password combination. Therefore, Contoso assigned this issue a CF of 10.

Effort

Weak passwords can be easily guessed with dictionary attack tools available on the Internet. Contoso rated the effort to use these tools a 2.

Vulnerability Factor

Because Contoso does not have a password policy in place and is not auditing for any logon failures, it rated the VF of weak passwords a 10.

Unencrypted Server Message Block Traffic

The vulnerability scanner detected that servers at Contoso were using the default setting for server message block (SMB) communications.

By default, the Windows NT LAN Manager (NTLM) challenge/response does not ever pass the LanManager (LM) authentication or NTLM hash across the network. However, tools exist that can monitor the traffic of this exchange and use a brute-force method to derive the original LM hash value.

After the hashes have been obtained, several different utilities can be used to crack the hashes into a plaintext password.

Risk Statement

IF an attacker uses an SMB sniffer to exploit unencrypted SMB traffic, THEN a loss of integrity and confidentiality of the Enterprise Admin accounts may result in an attacker gaining unauthorized access to the organization.

Similar risk statements should be generated for the Domain Admins group and the general user accounts.

Criticality Factor

By cracking passwords, an attacker can gain unauthorized access to files and services that could not be obtained from a null session. Therefore, Contoso assigned this issue a CF of 10.

Effort

A publicly available tool can be purchased to provide this functionality. However, the tool must be able to promiscuously view all traffic. Being on a switched network greatly reduces this possibility. Because Contoso is currently upgrading its network infrastructure, it rated the effort to use this tool a 5.

Vulnerability Factor

Because Contoso does not have a password policy in place, there are a number of short passwords that can be quickly obtained using SMB capture techniques. This situation caused the security team to assign the VF for this issue a 10.

Ineffective Auditing

Many of the servers scanned did not have audit settings enabled to a sufficient level to identify potential attacks. For example, the Audit Account Logon setting was not enabled; if it were, it would help to identify brute-force attacks against passwords.

Risk Statement

IF an attacker uses a tool that can disable auditing to exploit ineffective auditing, THEN a loss of integrity of the Northamerica domain controller may result in an attacker gaining undetected access to a remote computer system.

Similar risk statements should be generated for the Northamerica domain controllers, all IIS servers, the DHCP servers, WINS servers, and the File/Print servers.

Criticality Factor

An attacker can take advantage of poor auditing configuration with the use of a resource kit utility such as Auditpol. Auditpol can enable the attacker to disable auditing altogether. Contoso assigned the CF of this exploit a rating of 3 because no data is actually compromised, but the situation can hamper the investigations of unexpected attacks.

Effort

The effort to use Auditpol requires the attacker to place the tool on the network and obtain administrative access. The tool is simple to execute, but because administrator access is required, the effort for this exploit is assigned a rating of 4.

Vulnerability Factor

Because Contoso does not have an audit policy in place and is not currently auditing for any security events, the security project team assigned the VF for this exploit a 9.
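As an added example (not from the chapter), the detection that failure auditing makes possible once the Audit Account Logon setting above is enabled: a Python sliding-window check over constructed logon-failure records. Windows 2000 records a failed logon with a bad user name or password as event 529 and a Kerberos pre-authentication failure as event 675; the record layout, account names, workstation names and thresholds here are constructed for the example and are not an Event Viewer export format.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs Windows 2000 writes for failed logons once failure auditing is on:
# 529 = unknown user name or bad password, 675 = Kerberos pre-authentication failed.
FAILURE_EVENT_IDS = {529, 675}

# Constructed sample records in a simplified "timestamp,event_id,account,source" shape.
# This is example data only, not the Event Viewer export format.
SAMPLE_LOG = """\
2004-11-17 08:00:00,675,administrator,WS-ATL-099
2004-11-17 08:10:00,675,administrator,WS-ATL-099
2004-11-17 08:20:00,675,administrator,WS-ATL-099
2004-11-17 08:30:00,675,administrator,WS-ATL-099
2004-11-17 08:40:00,675,administrator,WS-ATL-099
2004-11-17 09:00:01,529,jdoe,WS-ATL-031
2004-11-17 09:00:03,529,jdoe,WS-ATL-031
2004-11-17 09:00:04,529,jdoe,WS-ATL-031
2004-11-17 09:00:06,529,jdoe,WS-ATL-031
2004-11-17 09:00:07,529,jdoe,WS-ATL-031
2004-11-17 09:00:09,528,jdoe,WS-ATL-031
2004-11-17 09:05:00,529,asmith,WS-BOS-007
2004-11-17 09:06:00,529,asmith,WS-BOS-007
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    account: str
    source: str


@dataclass(frozen=True)
class Alert:
    account: str
    source: str      # workstation named in the event that tripped the threshold
    failures: int
    first: datetime
    last: datetime


def parse_log(text):
    """Parse the constructed format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 int(event_id), account.lower(), source))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Raise one alert whenever an account accumulates `threshold` failed logons
    inside `window`. Successful logons (any other event ID) are ignored."""
    alerts = []
    recent = defaultdict(deque)   # account -> failure timestamps still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id not in FAILURE_EVENT_IDS:
            continue
        q = recent[ev.account]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            alerts.append(Alert(ev.account, ev.source, len(q), q[0], ev.ts))
            q.clear()   # start a fresh window so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(parse_log(SAMPLE_LOG)):
        print(f"{a.account}: {a.failures} failures from {a.source} between {a.first} and {a.last}")
```

With the default two-minute window the burst against jdoe is reported and the slow attempts against administrator are not; widening the window to an hour also catches the slow series, which is the trade-off between noise and sensitivity that the audit policy and the detection threshold have to be tuned for together.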

Unchecked DoS Attacks

A Denial of Service (DoS) attack is any attack that prevents users from accessing resources. There are many different variations of DoS attacks, but some of the most common affect either IIS or the TCP/IP stacks of individual computers.

The scanning tool identified several changes that could be made on computers to secure them from TCP/IP-based DoS attacks.

Risk Statement

IF an attacker uses a DoS attack to exploit TCP/IP DoS vulnerabilities, THEN a loss of availability of the root domain controller may result in a loss of productivity.

Similar risk statements should be generated for the Northamerica domain controllers, all IIS servers, the DHCP servers, WINS servers, and the File/Print servers.

Criticality Factor

A TCP/IP DoS attack would result in a completely unusable computer system. Therefore, Contoso assigned such an attack a CF of 8.

Effort

There are a number of easy-to-use graphical utilities that provide this functionality to an attacker. Therefore, the effort required to exploit this specific vulnerability is assigned a 1.

Vulnerability Factor

Because Contoso does not currently have any countermeasures for TCP/IP DoS attacks in place, it rated the vulnerability factor for this exploit a 9.

IIS Directory Traversal

A scan of the IIS servers identified a common directory traversal issue. The exploit of this vulnerability would allow an attacker not only to view information such as directory layouts and the contents of files on the target computer, but in many cases it would also allow the attacker to write files and execute commands on the servers.

Risk Statement

IF an attacker uses a double decode attack to exploit URL canonicalization issues, THEN a loss of integrity and confidentiality of the research IIS servers may result in an attacker gaining the ability to view the file system and run commands on the server.

Similar risk statements should be built for the departmental and human resources IIS servers as well.

Criticality Factor

The IIS directory traversal exploits can be quite dangerous because they can allow a remote user to launch some system commands from a Web server. However, IIS version 5.0 limits the context of these commands to run as the IUSR account. Nonetheless, there is a large risk presented by such an attack, prompting Contoso to assign it a CF of 7.

Effort

The effort to exploit IIS directory traversal is quite minimal. IIS directory traversal can be exploited using several different tools, but the easiest of these tools is simply a Web browser. Therefore, the effort assigned to this exploit is a 2.

Vulnerability Factor

Because Contoso has a number of IIS servers that do not have the latest patches and were not built according to IIS best practices, the company assigned the VF for this exploit on IIS servers a rating of 9.
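As an added example, not the chapter's or IIS's code, the order-of-operations mistake behind the double decode issue beside the canonicalization that fixes it, in Python. The request paths and file name are constructed, the two check functions are generic rather than a model of the IIS parser, and a real server must also apply the same treatment to any other encodings it accepts before it tests a path.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 4   # assumed bound; legitimate URLs need at most one decode


def decode_fully(path):
    """Percent-decode until the string stops changing; refuse pathological nesting."""
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many layers of encoding")


def vulnerable_check(request_path):
    """Models the flawed order of operations: decode once, test for traversal
    separators, and only later (elsewhere) decode again before mapping to disk.
    Returns True when the request would be allowed through."""
    once = unquote(request_path)
    return "../" not in once and "..\\" not in once


def canonical_segments(request_path):
    """Fully decode, treat '\\' like '/', then resolve '.' and '..' segment by
    segment. Raises PermissionError if the path climbs above the virtual root."""
    decoded = decode_fully(request_path).replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise PermissionError("path escapes the web root")
            segments.pop()
        else:
            segments.append(seg)
    return segments


def hardened_check(request_path):
    """Allow the request only if its canonical form stays under the web root."""
    try:
        canonical_segments(request_path)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    for p in ["/images/logo.gif",
              "/scripts/..%255c..%255csecret.txt",   # constructed double-encoded path
              "/scripts/../../secret.txt"]:
        print(f"{p:40} naive={vulnerable_check(p)!s:5} hardened={hardened_check(p)}")
```

The naive check passes the double-encoded path because after one decode it still reads `..%5c`, which is not a separator; the hardened check decodes to a fixed point first and then walks the segments, so the same request is refused before any file system mapping takes place.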

Analyzing and Prioritizing Security Risks

Analysis

After a variety of assessments, enough information has been gathered to begin analyzing the security risks and prioritizing them based on their impact and exposure in Contoso's environment. Before building risk statements, it may be useful to consolidate the information in one table. Part of Contoso's risk analysis appears in the following table.

Table 4.5 Contoso Risk Assessment Summary

Threat | TP | Exploit | CF | E | Vulnerability | VF | Asset | AP
--- | --- | --- | --- | --- | --- | --- | --- | ---
Malicious code | 0.6 | Code Red | 9 | 1 | ida/idq vulnerabilities | 8 | Research IIS servers | 10
Malicious code | 0.6 | Code Red | 9 | 1 | ida/idq vulnerabilities | 8 | Department IIS servers | 6
Malicious code | 0.6 | Code Red | 9 | 1 | ida/idq vulnerabilities | 8 | Human resources IIS servers | 7
Attacker | 0.6 | A NetBIOS enumeration tool | 6 | 2 | Null sessions | 10 | Root domain controller | 8
Attacker | 0.6 | A NetBIOS enumeration tool | 6 | 2 | Null sessions | 10 | Northamerica domain controller | 8
Attacker | 0.6 | An SNMP enumeration tool | 6 | 2 | Public community strings | 10 | Root domain controller | 8
Attacker | 0.6 | An SNMP enumeration tool | 6 | 2 | Public community strings | 10 | Northamerica domain controller | 8
Attacker | 0.6 | Nslookup | 2 | 1 | Unlocked zone transfers | 7 | Root DNS | 4
Attacker | 0.6 | Nslookup | 2 | 1 | Unlocked zone transfers | 7 | Northamerica DNS | 5
Attacker | 0.6 | A brute-force password attack | 10 | 2 | Lack of password policies | 10 | Enterprise Admin accounts | 10
Attacker | 0.6 | A brute-force password attack | 10 | 2 | Lack of password policies | 10 | Northamerica Domain Admin accounts | 10
Attacker | 0.6 | A brute-force password attack | 10 | 2 | Lack of password policies | 10 | Northamerica user accounts | 5
Attacker | 0.6 | An SMB sniffer | 10 | 5 | Unencrypted SMB traffic | 10 | Enterprise Admin accounts | 10
Attacker | 0.6 | An SMB sniffer | 10 | 5 | Unencrypted SMB traffic | 10 | Northamerica Domain Admin accounts | 10
Attacker | 0.6 | An SMB sniffer | 10 | 5 | Unencrypted SMB traffic | 10 | Northamerica user accounts | 5
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | Root domain controller | 8
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | Northamerica domain controller | 8
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | Research IIS servers | 10
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | Department IIS servers | 6
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | Human resources IIS servers | 7
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | File/Print servers | 8
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | WINS server | 3
Attacker | 0.6 | A tool that can disable auditing | 3 | 4 | Ineffective auditing | 9 | DHCP server | 1
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | Root domain controller | 8
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | Northamerica domain controller | 8
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | Research IIS servers | 10
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | Department IIS servers | 6
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | Human resources IIS servers | 7
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | File/Print servers | 8
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | WINS server | 3
Attacker | 0.6 | DoS attack | 8 | 1 | TCP/IP DoS vulnerabilities | 9 | DHCP server | 1
Attacker | 0.6 | A double decode attack | 7 | 2 | URL canonicalization issues | 9 | Research IIS servers | 10
Attacker | 0.6 | A double decode attack | 7 | 2 | URL canonicalization issues | 9 | Department IIS servers | 6
Attacker | 0.6 | A double decode attack | 7 | 2 | URL canonicalization issues | 9 | Human resources IIS servers | 7

Threat Frequency Level

The threat frequency level (TL) is a measure of the expected frequency of attack, the potential for damage, and the effort required to perform the attack. This measurement can be found by multiplying the threat probability (TP) by the risk factor (RF). The RF is the criticality factor (CF) of the attack divided by the effort (E) required to perform the exploit.

Impact Factor

The impact factor (IF) also describes the potential loss. This number can be calculated by multiplying the vulnerability factor (VF) by the asset priority (AP).

Exposure Factor

Finally, the exposure factor (EF) of the risk can be calculated by multiplying the TL by the IF. The exposure factor of all risks can be compared to determine which risks should be addressed first in the organization.

Contoso Risk Analysis

Top Risks Identified

The top risks identified through the overall Security Risk Analysis process are summarized in the following table. The exposure factor was calculated by using the following formula, expanded step by step with the abbreviations defined above (TL, TP, RF, CF, E, IF, VF, AP):

EF = (TL × IF) / 1000

EF = ((TP × RF) × IF) / 1000

EF = ((TP × (CF / E)) × IF) / 1000

In its most basic form, the formula becomes:

EF = ((TP × (CF / E)) × (VF × AP)) / 1000

Table 4.6 Top Risks Identified in Contoso's Environment

| Vulnerability | Asset | EF |
|---|---|---|
| A brute-force password attack | Enterprise Admin accounts | 0.6 |
| A brute-force password attack | Northamerica Domain Admin accounts | 0.6 |
| DoS attack | Research IIS servers | 0.432 |
| Code Red | Research IIS servers | 0.432 |
| DoS attack | Root domain controller | 0.3456 |
| DoS attack | Northamerica domain controller | 0.3456 |
| DoS attack | File/Print servers | 0.3456 |
| Code Red | Human resources IIS servers | 0.3024 |
| DoS attack | Human resources IIS servers | 0.3024 |
| A brute-force password attack | Northamerica user accounts | 0.3 |
| Code Red | Department IIS servers | 0.2592 |
| DoS attack | Department IIS servers | 0.2592 |
| A double decode attack | Research IIS servers | 0.189 |
| A NetBIOS enumeration tool | Root domain controller | 0.144 |
| A NetBIOS enumeration tool | Northamerica domain controller | 0.144 |

Additional Quantitative Analysis Tools

Often identifying and prioritizing the top risks in an organization is only the start of the risk analysis process. The next step is to determine either the remediation or mitigation steps required to address each risk identified in the organization. Although determining these steps may be fairly easy, implementing them may prove to be very difficult.

To justify the cost of the safeguards, additional information may be required. The following procedures can help determine the value of implementing certain remediation steps as part of the security project for the organization.

Single Loss Expectancy

Single loss expectancy (SLE) is a way to put a price tag on a particular computer or network. The SLE represents only one element of risk: the expected impact, monetary or otherwise, of a specific threat event. The SLE can be computed by multiplying the exposure factor of a given threat by the financial value of the asset (AV).

For example, the SLE for the impact of Code Red infecting the research IIS servers can be calculated by taking the Exposure Factor of 0.432 identified earlier and multiplying it by the research IIS server's AV of $596,000.

SLE = 0.432 × $596,000 = $257,472

Annualized Rate of Occurrence

The annualized rate of occurrence (ARO) is the probability of a threat occurring during a one-year time frame. For example, a threat occurring once in 10 years has an ARO of 1/10 or 0.1; a threat occurring 50 times in a given year has an ARO of 50.0. The possible range of frequency values is from 0.0 (the threat is not expected to occur) to some whole number that is completely dependent on the type and number of threat sources. In a large organization, some risks could occur thousands of times, resulting in a very high ARO.

In Contoso's environment, Code Red has been consistently infecting servers: 25 of its 50 servers were infected in the last year, giving an ARO of 1/2 or 0.5.

Annual Loss Expectancy

The annual loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO).

To effectively identify risk and to plan for budgetary cycles, it may be helpful to compute loss expectancy in annualized terms. For example, using the Code Red figures above, an ARO of 0.5 per year and an SLE of $257,472 for one of Contoso's IIS servers give an ALE of $257,472 × 0.5 = $128,736. When the expected threat frequency (ARO) is factored into the equation, the financial impact of the risk is accurately portrayed.

Value of Safeguards

If the estimated cost of safeguards can be established, and the annual recurring cost to maintain the countermeasure can be estimated, the overall value of implementing each safeguard can be determined. This process is the basis for meaningful cost-benefit analyses of risk reduction measures.

The value of a safeguard can be computed by taking the ALE and subtracting the initial cost of the countermeasure and the annual recurring cost of the countermeasure. Continuing the risk analysis example above, if a cost of $20,000 is estimated to implement a countermeasure to address the identified threat, and the annual cost of maintaining this countermeasure is $1,000, the value of the safeguard would be $128,736 − ($20,000 + $1,000), or $107,736.
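The following script is an added worked example, not code from the original guide, that carries the chapter's arithmetic through in one place: it computes EF for rows of the Contoso risk analysis table with the formula given under "Top Risks Identified" and ranks them the way Table 4.6 does, then takes the Code Red / research IIS figures through SLE, ARO, ALE and safeguard value. All numbers are the chapter's own; the `RiskRow` class, the function names and the choice of rows are this example's. Exact rational and decimal arithmetic is used so that results such as 0.3456 and $257,472 come out exactly rather than as floating-point approximations. Running the formula over the rows is also a useful consistency check: it reproduces the DoS and double decode entries of Table 4.6 exactly, but the brute-force rows as tabulated (CF 10, E 2, VF 10, AP 10 or 5) yield 0.3 and 0.15 rather than the 0.6 and 0.3 listed, so those inputs should be verified against the full table before the figures are used for budgeting.

```python
"""SRMD risk arithmetic for the Contoso example (added example, not code from the
original Microsoft guide).  Table values are the ones printed in this chapter;
the dataclass, the function names and the subset of rows are this example's own."""
from dataclasses import dataclass
from decimal import Decimal
from fractions import Fraction


@dataclass(frozen=True)
class RiskRow:
    """One row of the risk analysis table (columns follow the chapter's formula)."""
    threat: str          # threat source
    tp: str              # threat probability, kept as text so 0.6 stays exact
    exploit: str
    cf: int              # criticality factor of the attack
    effort: int          # effort (E) required to perform the exploit
    vulnerability: str
    vf: int              # vulnerability factor
    asset: str
    ap: int              # asset priority


def exposure_factor(row: RiskRow) -> float:
    """EF = ((TP x (CF / E)) x (VF x AP)) / 1000, computed exactly, then converted to float."""
    threat_level = Fraction(row.tp) * Fraction(row.cf, row.effort)   # TL = TP x RF, RF = CF / E
    impact = row.vf * row.ap                                          # IF = VF x AP
    return float(threat_level * impact / 1000)


def rank_risks(rows) -> list:
    """Order (exploit, asset, EF) triples by EF, highest first, as Table 4.6 does."""
    scored = [(r.exploit, r.asset, exposure_factor(r)) for r in rows]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def single_loss_expectancy(ef: str, asset_value: int) -> Decimal:
    """SLE = EF x AV.  Decimal keeps the dollar figures exact."""
    return Decimal(ef) * Decimal(asset_value)


def annualized_rate_of_occurrence(occurrences: int, population: int) -> Decimal:
    """ARO as the chapter derives it: 25 infected out of 50 servers in one year -> 0.5."""
    return Decimal(occurrences) / Decimal(population)


def annual_loss_expectancy(sle: Decimal, aro: Decimal) -> Decimal:
    """ALE = SLE x ARO."""
    return sle * aro


def safeguard_value(ale: Decimal, initial_cost: int, annual_cost: int) -> Decimal:
    """Value of a safeguard = ALE - (initial cost + annual recurring cost).
    A negative result means the countermeasure costs more than the loss it averts."""
    return ale - (Decimal(initial_cost) + Decimal(annual_cost))


# Rows copied from the Contoso risk analysis table in this chapter (a subset).
CONTOSO_ROWS = [
    RiskRow("Attacker", "0.6", "A brute-force password attack", 10, 2,
            "Lack of password policies", 10, "Enterprise Admin accounts", 10),
    RiskRow("Attacker", "0.6", "An SMB sniffer", 10, 5,
            "Unencrypted SMB traffic", 10, "Northamerica user accounts", 5),
    RiskRow("Attacker", "0.6", "A tool that can disable auditing", 3, 4,
            "Ineffective auditing", 9, "WINS server", 3),
    RiskRow("Attacker", "0.6", "DoS attack", 8, 1,
            "TCP/IP DoS vulnerabilities", 9, "Root domain controller", 8),
    RiskRow("Attacker", "0.6", "DoS attack", 8, 1,
            "TCP/IP DoS vulnerabilities", 9, "Research IIS servers", 10),
    RiskRow("Attacker", "0.6", "A double decode attack", 7, 2,
            "URL canonicalization issues", 9, "Research IIS servers", 10),
]


def code_red_cost_benefit() -> dict:
    """Carry the chapter's Code Red / research IIS example through SLE, ARO, ALE and
    safeguard value.  EF 0.432, AV $596,000, 25 of 50 servers infected, and the
    $20,000 initial / $1,000 annual countermeasure costs are all the chapter's figures."""
    sle = single_loss_expectancy("0.432", 596_000)
    aro = annualized_rate_of_occurrence(25, 50)
    ale = annual_loss_expectancy(sle, aro)
    return {"SLE": sle, "ARO": aro, "ALE": ale,
            "safeguard_value": safeguard_value(ale, 20_000, 1_000)}


if __name__ == "__main__":
    for exploit, asset, ef in rank_risks(CONTOSO_ROWS):
        print(f"{ef:.5f}  {exploit} -> {asset}")
    for name, value in code_red_cost_benefit().items():
        print(f"{name}: {value}")
```

Keeping TP as a string and using `Fraction` avoids the usual floating-point drift when many rows are multiplied and compared for ranking; `Decimal` does the same job for the money figures, which matters once these numbers feed a budget justification.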

Summary

This chapter applied the Security Risk Management Discipline (SRMD) to a common customer scenario. All the information provided for this applied example was based on actual data; however, this information represented only a fragment of the overall information required for an organization to perform a thorough security risk assessment. Including the entire risk analysis table or every security risk statement would have made the information provided in this chapter difficult to readily understand. Therefore, relevant examples were highlighted for quick reference and easy comprehension.

The SRMD is one of hundreds of ways to categorize and rate risks within an organization. This information can be used to augment existing policies and processes or to help an organization establish such standards for the first time.

The guidelines in this chapter were applied to develop a list of risks that were addressed with specific remediation steps. Now that the list has been generated, the next step is to identify the processes required to secure the listed vulnerabilities.

More Information

The security risk analysis was based on the Microsoft Solutions Framework (MSF) risk analysis process. For more information about MSF, see the Microsoft Solutions Framework Web site at www.microsoft.com/technet/itsolutions/msf/default.mspx.

Related Topics

The following work is a great reference to learn more about specific vulnerabilities within Windows 2000: